From initial study about tcp/ip and OSI layer study, we learned the concept of layered approach of network communication and how segment and packet and frame get encapsulated and decapsulated from one layer to another. In 802.11 communication everything from layer 7 (application layer) down to layer 3 (network layer) is called MSDU (Mac service data unit) with a max size of 2304 bytes plus encryption overhead (8 bytes for WEP, 20 bytes for TKIP and 16 bytes for AES). These 2304 bytes are encapsulated at layer 2 to form MPDU (Mac Protocol data unit), as you can imagine MPSU consists of MAC header in front (30 bytes) with encapsulated MSDU and a frame check sequence (4bytes) at the end.

I will explore the MAC header portion of the MPDU in this writing and why knowing this information can be very helpful in troubleshooting some of the critical wireless issues.

breaking down 802.11 frame

Let’s go through each of these fields of MAC header and explore its purpose.

Frame control consist of following fields

Protocol field – Since there is only one 802.11 standard, this field is all 0, but can be used in future, for any new standards which might be backwards compatible with 802.11.

Type – This is interesting, wireless LAN has majorly 3 types of frames, management frames (00), control frames (01) and data frames (10), since its 2 bit value it’s still leaves us with 11, which is currently reserved.

Sub-Frame – each of these frame types can have multiple sub frame types which leads to this field, detailed description with bit value is shown below in this sub-frame table I found.

breaking down 802.11 frame-2

AN example capture for association request is shown below with filter wlan.fc.type_subtype == 0x0000, similar captures can be used in wireshark to find any specific frame and collect information about the wireless network.

breaking down 802.11 frame-3

To DS from DS – these frames define direction of the travel of frames. To understand this, its important to understand that unlike 802.3 frame header 802.11 frame header has 4 mac addresses, which are:

source address – mac address of wireless client from where the communication is sourced.

transmitter address – device that transmits wireless frames over air (in most case source address and transmitter address is same, unless a wired PC is connected on second Ethernet port of AP and is trying to communicate)

Receiver address – mac of device that receive information over air, in most cases AP, in Ad-hoc connections it can be destination address.

Destination address – mac of device where the frame is destined for.


Frame is not intended to leave the wireless network for e.g. a beacon and probe frame, with is limited over wireless


Frame direction is from distribution system downstream to wireless client.


Frame direction is from wireless client upstream to distributed system


Frame direction is between 2 distributed systems, for e.g. a wireless bridge which connects two distributed systems together.

More Frag – used when the data or management frame is sent in multiple fragments then this bit is 1 (ONE), for all other frames its set to 0 (ZERO)

Retry – one of the most important bit to identity the behavior of wireless infrastructure, if set to 0 means the original management or data frame is being received, if set to 1 then a retransmitted management of data frame is being received. It happens when the unicast frame has not received acknowledgement. It can be influence by physical layer (Multipath, RF interference, and low SNR), or data link layer (hidden node, near/far, mismatched power settings, and adjacent cell interference). Data over wireless can withstand 7% retransmission, VoWiFi requires less than 2% retransmission. These values are important when performing a survey and setting success criterion.

More Data – this bit is related to Power Mgmt field, AP can buffer data for multiple  client, AP includes the association ID of these client in traffic indication map field (TIM) of the beacon frame, when client receives this beacon frame, and see its own association ID, it knows it has some data to receive. So client sends a PS-POLL message to AP. AP sets the More Data field to 1 start to send a frame to client. When Client see more data field set to 1 it knows AP has more data buffered for it and sends another PS-POLL, this process continues till all buffered data is received by client.

WEP (now called protected Frame)  means MSDU payload of the data frame is encrypted. Management frames are usually not encrypted. Cisco support client MFP on clients compatible of Cisco Compatibility extension v5 (which most client today are not)

Order not used today i.e. set to 0. Set to 1 to enforce QOS from a higher layer, so that the client process frame in a specific order.

Duration ID has following function :

  • 0-13bits – represent value from 0 – 32767, defines time in microseconds. Since wireless is a hub like communication, when data is transmitted over air, all clients can receive it and they can read the duration id of current transmitting station to determine how long they have to wait before starting to send. The listening station do this by setting their NAV to duration id of current sending frame and count to 0

NOTE – this rule do not apply to receiving station i.e. AP is also listening and looking at the duration ID but it will not reset its NAV to duration id because it needs to send back ACK.

  • For legacy power management, this field can be used as association identifier.

Address fields and their function discussed during To DS and From DS bit function. This is significant to understanding direction of data flow.

Sequence Control has 2 subfields

Sequence number – value 0-4095, each frame associated with a MSDU has a sequence number and this is referred by receiver to arrange the frames in right order.

Fragment number – value 0-16, if a MSDU is divided into multiple frame, then each frame has a fragment number to reassemble these fragmented frames. Its set to 0 when frame is not fragmented.

breaking down 802.11 frame-5

Network Data (Frame body)

Depends on type of frame, control frame does not even have a frame body

Management frame has a frame body but do not carry upper layer information.

Data frame has frame body with upper layer information.

Usually this field is 2304 bytes long without encryption

With WEP this field is 2304+8 = 2312 bytes long

With TKIP this field is 2304+20 = 2324 bytes long

With AES this field is 2304+16 = 2320 bytes long


Frame Check Sequence (FCS)

Is a 32-bit CRC, the sending station performa a calculation on the entire frame and calculates a number and stores in the FCS field. Receiving station will do a calculation on the received frame and if the calculation is equal to the value stored in FCS field, then no alteration to original frame has happened and frame is not corrupted.


I hope you enjoyed reading it as much as I enjoyed writing it, feel free to comment !